[wp-hackers] protecting wp-content/plugins ?

Tom Barta tbarta at gmail.com
Thu Aug 23 23:12:59 GMT 2007


On 8/23/07, Otto <otto at ottodestruct.com> wrote:
>
> On 8/22/07, Tom Barta <tbarta at gmail.com> wrote:
> > Sure, perfectly-written plugins don't have any issues
>
> I'm sorry, but you also missed my point here.
>
> A plugin either a) has an exploit or b) does not. For the "no exploit"
> case, this sort of code is wholly unnecessary. For the exploit case,
> this sort of code doesn't actually fix the exploitable code.


It's more like this...

A plugin either a) has a known exploit, b) has no known exploits but at
least one unknown exploit, or c) has no known or unknown exploits.  It's
rather tough to *prove* something is in the (c) camp because of all of the
work involved, but with simple codebases it's simple enough to "nearly
prove" it.  For every script that is in camp (a), it was at some point in
camp (b) as well (when one person discovered it and potentially used it
privately before disclosing it).

> What you are all missing is that "hackers" don't scan for exploits.
> There's *no point* in scanning for exploits. It's a web page. Scanning
> for an exploit and actually performing the exploit are *the same
> thing* from the standpoint of the hacker. It's just a single HTTP
> request.


I fully realize that scanning directory listings isn't how exploits get
found; I see it in my own web server logs (e.g. a bajillion attempts at
xmlrpc.php in various subdirectories).  That doesn't change my point: If the
script is a library script and not a web page, it /should not/ be accessible
from the document root.

> > but most computer security is based around layers of protection.
>
> I agree with this, however this is an invalid layer of protection. It
> doesn't solve the exploit. You're still vulnerable with this sort of
> code, if the plugin is vulnerable in the first place.


Sure it does.  If I have a PHP script that is vulnerable when executed
directly, but then I move it out of the document root, it can no longer be
executed directly (via HTTP requests) and therefore is no longer a real
vulnerability (assuming it's secure as a library).  It's the same argument
with Linux rootkits.  Most exploits are only vulnerable to local users, so
if you successfully deny the public local access, you reduce the risk that a
local exploit will cause your server to be compromised.

Obviously, you can't take scripts that are meant to be directly executed and
remove them from the document root like this.  But if what someone in the
thread said earlier is true (80-90% of plugins are pure library code), that
means 80-90% of the plugins can be moved outside of the document root,
thereby reducing the likelihood that a newly-discovered exploit is actually
usable.

-- 
Tom
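The "sort of code" argued over above is the direct-access guard at the top of a plugin library file. As an added example, not code from this thread, from Otto or Tom, or from WordPress itself, the following PHP harness writes such a guarded library file and runs it two ways: once on its own, the way a web server would when the file's URL is requested directly, and once included after ABSPATH has been defined, the way WordPress loads plugin code. The file and function names (lib.php, example_sanitize_slug) and the temp directory are made up for the demonstration; the only WordPress fact relied on is that wp-load.php defines ABSPATH before any plugin runs.

```php
<?php
// Added example (not from the wp-hackers thread): a plugin "library" file
// guarded against direct HTTP execution, plus a harness that shows the
// difference between a direct hit and being included by WordPress.
// Assumptions: the php CLI is available via PHP_BINARY; lib.php and
// example_sanitize_slug are invented names.

$libSource = <<<'PHP'
<?php
// Library file: functions only, never meant to be served as a web page.
// If WordPress did not load us, ABSPATH is undefined: stop immediately.
// Without this guard, every top-level statement below the function
// definitions would run for anyone who requests
// /wp-content/plugins/example/lib.php directly.
if (!defined('ABSPATH')) {
    exit;
}

function example_sanitize_slug($input) {
    // Keep only a conservative character set for a URL slug.
    return strtolower(preg_replace('/[^A-Za-z0-9_-]/', '', (string) $input));
}

// Top-level code like this is what makes an HTTP-reachable "library"
// dangerous: it executes on a direct request with attacker-supplied input.
// The guard above keeps it unreachable unless WordPress is already loaded.
if (isset($_GET['slug'])) {
    echo example_sanitize_slug($_GET['slug']);
}
PHP;

$dir = sys_get_temp_dir() . '/plugin-guard-demo';
if (!is_dir($dir)) {
    mkdir($dir, 0700, true);
}
$libPath = $dir . '/lib.php';
file_put_contents($libPath, $libSource);

// 1. Simulate a direct request: execute the file on its own, as the web
//    server would for a request to /lib.php. ABSPATH is not defined in
//    that process, so the guard fires before anything else runs.
$cmd = escapeshellarg(PHP_BINARY) . ' ' . escapeshellarg($libPath);
$direct = (string) shell_exec($cmd);
echo "direct execution output: " . var_export($direct, true) . "\n";

// 2. Simulate WordPress loading the plugin: wp-load.php defines ABSPATH
//    before any plugin code is included, so the include passes the guard
//    and the library's functions become available to the caller.
define('ABSPATH', __DIR__ . '/');
require_once $libPath;
echo "via WordPress include: " . example_sanitize_slug('Hello World!') . "\n";

// The alternative Tom argues for removes the HTTP path entirely instead of
// guarding it: keep the library above the document root and pull it in
// from the plugin's entry file, e.g. (hypothetical layout)
//   require_once dirname(ABSPATH) . '/private/example-plugin/lib.php';
// The guard is the in-tree equivalent for installs where you do not
// control the directory layout.
```

Run it with the php CLI. In the first run the library prints nothing, because `exit` is reached before the function definitions; in the second, the same file is included with ABSPATH set and the function can be called. The guard does not repair a bug inside example_sanitize_slug, which is Otto's point, but it does take the top-level statements off the list of things reachable by a single HTTP request, which is Tom's.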


More information about the wp-hackers mailing list